Abstract. Quantum computers can execute algorithms that sometimes dramatically outperform classical computation. Undoubtedly the best-known example of this is Shor's discovery of an efficient quantum algorithm for factoring integers, whereas the same problem appears to be intractable on classical computers. Understanding what other computational problems can be solved significantly faster using quantum algorithms is one of the major challenges in the theory of quantum computation, and such algorithms motivate the formidable task of building a large-scale quantum computer. This article will review the current state of quantum algorithms, focusing on algorithms for problems with an algebraic flavor that achieve an apparent superpolynomial speedup over classical computation.
1. Introduction

Ever since Shor [20] showed in 1994 that a quantum computer can efficiently factor integers and calculate discrete logarithms, many more quantum algorithms have been discovered. In this article, we review some quantum algorithms and the problems that they try to solve, such as the discrete logarithm problem, the Abelian and non-Abelian hidden subgroup problem, the point counting problem for finite field equations, and so on. A significant number of these algorithms follow the set-up of Shor's algorithm, which can be described as follows.

1. Given a function $F : G \to S$, where $G$ is a finite group and $S$ is a set, create the superposition
\[
\frac{1}{\sqrt{|G|}} \sum_{x \in G} |x, F(x)\rangle .
\]

2. Apply a unitary transformation $U$, such as the quantum Fourier transform, to the first register.

3. Measure in the computational basis.

Several quantum algorithms that we will discuss use notions from number theory, algebra and group theory. To help the reader's understanding of such algorithms, we will give several brief expositions of these topics. This article is based on [4], where the reader can find further details.

The article is organized as follows. In Section 2 we introduce modular arithmetic. In Sections 3 and 4 we introduce Shor's algorithms for period finding and for the discrete logarithm problem. In Section 5 we treat the Abelian hidden subgroup problem and introduce the notions necessary to understand its quantum algorithm. In Section 7 we describe elliptic curves and their discrete logarithm problem, and in Section 9 we discuss the quantum algorithm for efficiently solving Pell's equation. Section 10 introduces the non-Abelian version of the quantum Fourier transform and discusses the status of the non-Abelian hidden subgroup problem.

Acknowledgements. These notes are based on a series of lectures by WvD for the 
2010 Summer School on Diversities in Quantum Computation/Information at Kinki 
University, Higashi-Osaka, Japan, which was organized by Mikio Nakahara. This 
material is based upon work supported by the National Science Foundation under 
Grant No. 0747526 and by a grant from the Army Research Office with contract 
number W911NF-04-R-0009. 



2. Modular Arithmetic and the Residue Classes of $\mathbb{Z}/N\mathbb{Z}$

We must first introduce a little group theory for a better understanding of many quantum algorithms. A group is a set together with a binary operation on its elements that obeys certain required group properties. For our purposes here, an important instance of a finite group is the set of residue classes of integers modulo $N$ with addition as its group operation.

Modular arithmetic, (mod $N$), is understood through a congruence relation on the integers $\mathbb{Z}$, where for integers $a, b$ we have

$a \equiv b \pmod N$ if and only if $b - a$ can be divided by $N$.
Example 1. It should be easy to see that $5 \equiv 2 \equiv -1 \pmod 3$, $3 \equiv 15 \pmod{12}$, and $341 \equiv 1 \pmod{10}$.

Note that modular arithmetic is well defined for addition, subtraction and multiplication. Hence we have, for example, $2 \times 7 \equiv 1 \pmod{13}$ and $(x + y)^2 \equiv x^2 + y^2 \pmod 2$.

Modulo $N$ arithmetic partitions the integers $\mathbb{Z}$ into $N$ different equivalence classes, which can be indicated by the residues of integers when divided by $N$. We thus have

$\mathbb{Z}/N\mathbb{Z} := \{0, 1, \ldots, N-1\}$

where $0$ represents $N\mathbb{Z} = \{\ldots, -N, 0, N, 2N, \ldots\}$, the value $1$ represents $1 + N\mathbb{Z} = \{\ldots, -N+1, 1, N+1, 2N+1, \ldots\}$, and so on.

As mentioned above, modular arithmetic respects addition and multiplication. Therefore we can define both operations on $\mathbb{Z}/N\mathbb{Z}$ by

$a + b \pmod N$, $\quad a \cdot b \pmod N$.

Note that for each element $a$ in $\mathbb{Z}/N\mathbb{Z}$ there exists an additive inverse element $b$ in $\mathbb{Z}/N\mathbb{Z}$ (such that $a + b \equiv 0 \pmod N$), namely $N - a$. It is straightforward to verify that $\mathbb{Z}/N\mathbb{Z}$ with addition is a finite Abelian group. What about multiplication in $\mathbb{Z}/N\mathbb{Z}$?

Let us compare $\mathbb{Z}/5\mathbb{Z}$ with $\mathbb{Z}/6\mathbb{Z}$. The number $2$ does not have a multiplicative inverse mod $6$, but it does mod $5$. It can be shown that a number $y$ has a multiplicative inverse $z$ (such that $yz \equiv 1 \pmod N$) if and only if the greatest common divisor of $y$ and $N$ obeys $\gcd(y, N) = 1$. If $\gcd(y, N) > 1$, then there exists a nonzero $z$ such that $yz \equiv 0 \pmod N$, so $y$ is a zero divisor and cannot be invertible. For instance, $2 \times 3 \equiv 1 \pmod 5$ and $2 \times 3 \equiv 0 \pmod 6$. Hence we see that the set

$(\mathbb{Z}/N\mathbb{Z})^\times := \{a \in \mathbb{Z}/N\mathbb{Z} \mid \gcd(a, N) = 1\}$

forms a group with respect to multiplication, which is called the multiplicative group modulo $N$.



3. Period Finding Implies Factoring

Perhaps the best-known application of quantum computers is the efficient solution of the problem of factoring integers. To explain a closely related algorithm for factoring integers due to Miller, we first introduce the period finding problem for the sequence $x^0, x^1, x^2, \ldots \pmod N$.

For any $x \in (\mathbb{Z}/N\mathbb{Z})^\times$ we have an $r$-periodic sequence $x^0 = 1, x^1, x^2, \ldots, x^r = 1, x^{r+1} = x, \ldots$. The period $r$ is called the multiplicative order of $x$ in $\mathbb{Z}/N\mathbb{Z}$, and it is a divisor of Euler's totient value of $N$,
\[
\phi(N) := |(\mathbb{Z}/N\mathbb{Z})^\times| = N \prod_{p \mid N,\ p\ \mathrm{prime}} \Bigl(1 - \frac{1}{p}\Bigr),
\]
which expresses the size of the multiplicative group modulo $N$. As an example, for $4 \in (\mathbb{Z}/9\mathbb{Z})^\times$ we have the sequence $1 = 4^0, 4 = 4^1, 7 = 4^2, 1 = 4^3, 4 = 4^4, \ldots \pmod 9$. Therefore the period of $4$ in $(\mathbb{Z}/9\mathbb{Z})^\times$ is $3$, a divisor of $\phi(9) = 9(1 - 1/3) = 6$.
3.1. Factoring $N$: Miller's algorithm.

Theorem 1 (Miller, 1976). For a given odd integer $N$ with at least two distinct prime factors, we can determine a nontrivial factor of $N$ as follows:

1. Pick a random $a \in \{2, 3, \ldots, N-1\}$.

2. Compute $\gcd(a, N)$. If the result is different from $1$, then it is a nontrivial factor of $N$, and we are done. More likely, $\gcd(a, N) = 1$, and we continue.

3. Using a period finding algorithm, determine the order $r$ of $a$ modulo $N$. If $r$ is odd, the algorithm has failed, and we return to step 1. If $r$ is even, we continue.

4. Compute $\gcd(a^{r/2} - 1, N)$. If the result is different from $1$, then it is a nontrivial factor of $N$. Otherwise, return to step 1.

By repeating this routine we can find all factors of $N$.

With the following lemma, Miller showed that if step 3 can be executed efficiently, then the above algorithm as a whole is efficient.

Lemma 1. Suppose $a$ is chosen uniformly at random from $(\mathbb{Z}/N\mathbb{Z})^\times$, where $N$ is an odd integer with at least two distinct prime factors. Then with probability at least $1/2$, the multiplicative order $r$ of $a$ modulo $N$ is even, and $a^{r/2} \not\equiv -1 \pmod N$.

In that case $(a^{r/2} - 1)(a^{r/2} + 1) = a^r - 1 \equiv 0 \pmod N$ while neither factor is divisible by $N$ (the first because $r$ is the order of $a$, the second by the lemma), so $\gcd(a^{r/2} - 1, N)$ is a nontrivial factor of $N$.

Exercise 1 (Factoring $N = 21$). For all $a \in \mathbb{Z}/21\mathbb{Z}$, figure out what the sequence $a^0, a^1, \ldots$ tells us about the factors of $N = 21$. Which $a$ have $\gcd(a, 21) = 1$? What are the periods? Which $a$ give us useful information?

Answer 1. The multiplicative group of $\mathbb{Z}/21\mathbb{Z}$ is $(\mathbb{Z}/21\mathbb{Z})^\times := \{a \in \mathbb{Z}/21\mathbb{Z} \mid \gcd(a, 21) = 1\} = \{1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20\}$. The following table gives, for all $a \in (\mathbb{Z}/21\mathbb{Z})^\times$, the sequence of values $a^j \bmod 21$, the period $r$ of this sequence, and whether or not this $r$ is useful in determining a nontrivial factor of $21$ (useful means that $r$ is even and $a^{r/2} \not\equiv -1 \pmod{21}$):

  a | a^0  a^1  a^2  a^3  a^4  a^5  a^6 | period r | useful?
 ---+------------------------------------+----------+--------
  1 |  1    1    1    1    1    1    1   |    1     |   N
  2 |  1    2    4    8   16   11    1   |    6     |   Y
  4 |  1    4   16    1    4   16    1   |    3     |   N
  5 |  1    5    4   20   16   17    1   |    6     |   N
  8 |  1    8    1    8    1    8    1   |    2     |   Y
 10 |  1   10   16   13    4   19    1   |    6     |   Y
 11 |  1   11   16    8    4    2    1   |    6     |   Y
 13 |  1   13    1   13    1   13    1   |    2     |   Y
 16 |  1   16    4    1   16    4    1   |    3     |   N
 17 |  1   17   16   20    4    5    1   |    6     |   N
 19 |  1   19    4   13   16   10    1   |    6     |   Y
 20 |  1   20    1   20    1   20    1   |    2     |   N

For $a = 5$ and $a = 17$ the period is even but $a^3 \equiv 20 \equiv -1 \pmod{21}$, so $\gcd(a^3 - 1, 21) = \gcd(19, 21) = 1$ and the attempt fails; for $a = 20 \equiv -1$ the same happens with $r = 2$. For $a = 2$, say, we get $\gcd(2^3 - 1, 21) = 7$.
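The following Python program is an added worked example; it is not code from the lecture notes. It implements Theorem 1 literally, with a brute-force classical order finder standing in for the quantum period finding of step 3, and regenerates the table of Answer 1 from the rules instead of by hand. The function names (`multiplicative_order`, `useful_base`, `miller_factor`, `order_table`) are the example's own.

```python
# Added example, not from the lecture notes: Miller's reduction from order finding to
# factoring (Theorem 1).  The brute-force order finder below stands in for the quantum
# period-finding routine of step 3; everything else is the classical part of the algorithm.
from math import gcd
import random


def multiplicative_order(a: int, n: int) -> int:
    """Smallest r >= 1 with a**r == 1 (mod n); requires gcd(a, n) == 1.

    Costs O(r) multiplications, so it is only usable for small n; Shor's quantum
    period finding does the same job in poly(log n) operations.
    """
    if gcd(a, n) != 1:
        raise ValueError("a must be a unit modulo n")
    r, power = 1, a % n
    while power != 1:
        power = (power * a) % n
        r += 1
    return r


def useful_base(a: int, n: int):
    """Steps 2-4 of Theorem 1 for one base a.

    Returns a nontrivial factor of n, or None when this a fails: odd order,
    or a^(r/2) == -1 (mod n), the case that Lemma 1 bounds away.
    """
    g = gcd(a, n)
    if g != 1:
        return g                      # step 2: a already shares a factor with n
    r = multiplicative_order(a, n)    # step 3: period finding
    if r % 2:
        return None                   # odd order: try another a
    y = pow(a, r // 2, n)             # a square root of 1; nontrivial unless y == -1
    if y == n - 1:
        return None                   # gcd(y - 1, n) would be 1
    g = gcd(y - 1, n)                 # step 4
    return g if 1 < g < n else None


def miller_factor(n: int, seed: int = 0, max_tries: int = 100) -> int:
    """Repeat Theorem 1 with random bases until a nontrivial factor appears."""
    rng = random.Random(seed)
    for _ in range(max_tries):
        a = rng.randrange(2, n)       # step 1
        g = useful_base(a, n)
        if g is not None:
            return g
    raise RuntimeError("no factor found: is n an odd composite with two distinct primes?")


def order_table(n: int):
    """Answer 1 as data: unit a -> (order r, whether a yields a factor)."""
    return {a: (multiplicative_order(a, n), useful_base(a, n) is not None)
            for a in range(1, n) if gcd(a, n) == 1}


if __name__ == "__main__":
    for a, (r, ok) in order_table(21).items():
        print(f"a={a:2d}  r={r}  useful={'Y' if ok else 'N'}")
    print("nontrivial factor of 21:", miller_factor(21))
```

Running the script prints the twelve rows of the table above and a factor of 21; swapping in a quantum period finder for `multiplicative_order` is the only change Shor's algorithm makes to this routine.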



3.2. Shor's Algorithm. Shor (1994) proved that period finding can be done efficiently with a quantum algorithm. As part of this proof, he had to show how to efficiently implement the Quantum Fourier Transform (QFT) over $\mathbb{Z}/N\mathbb{Z}$:
\[
|x\rangle \mapsto \frac{1}{\sqrt N} \sum_{y \in \mathbb{Z}/N\mathbb{Z}} e^{2\pi i xy/N} |y\rangle .
\]

Here is a sketch of Shor's algorithm.

Algorithm 1 (Period Finding). Let $f : \mathbb{Z}/N\mathbb{Z} \to S$ be an $r$-periodic function with $f(x) = f(y)$ if and only if $(x - y)/r \in \mathbb{Z}$, and $r \mid N$.

(1) Create the superposition
\[
\frac{1}{\sqrt N} \sum_{x \in \mathbb{Z}/N\mathbb{Z}} |x, f(x)\rangle .
\]

(2) By tracing out the right register, the left register is equivalent to
\[
\sqrt{\frac{r}{N}} \sum_{j \in \{0, 1, \ldots, N/r - 1\}} |s + jr\rangle
\]
for a random and unknown $s \in \{0, \ldots, r - 1\}$.

(3) Apply the QFT over $\mathbb{Z}/N\mathbb{Z}$ to the quantum state, yielding
\[
\frac{1}{\sqrt r} \sum_{k \in \{0, 1, \ldots, r - 1\}} e^{2\pi i sk/r} \,|kN/r\rangle .
\]

(4) Sampling the state gives us $kN/r$ for some random and unknown $k \in \{0, \ldots, r - 1\}$.

(5) By repeating the above procedure several times, a number of multiples of $N/r$ will be obtained. By taking the gcd of these outcomes we learn, with high probability, the value $N/r$ and hence $r$ itself.

Combining the quantum algorithm for efficiently finding periods with Miller's algorithm thus gives us an efficient algorithm for factoring integers.
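The state transformations of Algorithm 1 can be checked exactly for small $N$ with ordinary complex arithmetic. The Python program below is an added example, not code from the notes or from any quantum toolkit: it constructs the step-(2) state, applies the QFT over $\mathbb{Z}/N\mathbb{Z}$ as an explicit matrix, confirms that only multiples of $N/r$ carry probability, and runs the gcd post-processing of step (5). The function names and the instance $N = 12$, $r = 3$, $s = 2$ are the example's own.

```python
# Added example, not from the lecture notes: an exact small-scale simulation of steps
# (2)-(5) of Algorithm 1 using plain complex arithmetic (no quantum library).  The state
# sqrt(r/N) sum_j |s + jr> is built explicitly, the QFT over Z/NZ is applied as a matrix,
# and the resulting distribution is seen to live only on the multiples kN/r.
import cmath
import random
from math import gcd, isclose


def qft_over_zn(amplitudes):
    """QFT over Z/NZ on a state vector: |x> -> (1/sqrt N) sum_y exp(2 pi i x y / N) |y>."""
    n = len(amplitudes)
    out = []
    for y in range(n):
        acc = 0j
        for x, ax in enumerate(amplitudes):
            if ax:
                acc += ax * cmath.exp(2j * cmath.pi * x * y / n)
        out.append(acc / n ** 0.5)
    return out


def outcome_distribution(n: int, r: int, s: int):
    """Step (3): probabilities of each measurement result y, given the step-(2) state."""
    if n % r:
        raise ValueError("Algorithm 1 assumes r | N")
    s %= r
    state = [0j] * n
    for j in range(n // r):
        state[s + j * r] = (r / n) ** 0.5          # amplitude sqrt(r/N) on every s + jr
    probs = [abs(a) ** 2 for a in qft_over_zn(state)]
    return {y: p for y, p in enumerate(probs) if not isclose(p, 0.0, abs_tol=1e-9)}


def period_from_samples(n: int, samples) -> int:
    """Step (5): the gcd of the observed multiples of N/r is N/r with high probability.

    Returns 0 when every sample was 0 (gcd undefined); the caller should then resample.
    """
    g = 0
    for y in samples:
        g = gcd(g, y)
    return n // g if g else 0


def recover_period(n: int, r: int, s: int, shots: int = 40, seed: int = 0) -> int:
    """Steps (4)-(5): sample the exact distribution repeatedly and post-process."""
    rng = random.Random(seed)
    dist = outcome_distribution(n, r, s)
    ys, ps = zip(*dist.items())
    samples = [rng.choices(ys, weights=ps)[0] for _ in range(shots)]
    return period_from_samples(n, samples)


if __name__ == "__main__":
    d = outcome_distribution(12, 3, 2)                      # period 3 on Z/12Z, offset s = 2
    print({y: round(p, 3) for y, p in sorted(d.items())})   # only 0, 4, 8 appear, each 1/3
    print("recovered period:", recover_period(12, 3, 2))
```

The offset $s$ only enters the phases $e^{2\pi i sk/r}$ and therefore drops out of the probabilities, which is why the unknown coset does not matter; the simulation makes that visible by giving the same distribution for every $s$.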



4. Discrete Logarithm Problem

In Section 3 we looked at the problem of determining the period, for a given $a$ in $(\mathbb{Z}/N\mathbb{Z})^\times$, of the sequence $a^0 = 1, a, a^2, a^3, \ldots, a^{r-1}, a^r = 1, \ldots$. Here we consider the problem of finding $\ell$ such that $a^\ell \equiv x \pmod N$ for given $a$ and $x$ in $(\mathbb{Z}/N\mathbb{Z})^\times$. The discrete logarithm of $x$ with respect to $a$, denoted $\mathrm{dlog}_a(x)$, is the smallest non-negative integer $\ell$ such that $a^\ell \equiv x \pmod N$.

This dlog problem can be generalized in the following way. Let $C = \langle g \rangle = \{g^0 = 1, g, g^2, \ldots\}$ be a cyclic group generated by $g$. Then the discrete logarithm base $g$ of $x \in C$ is denoted by $\mathrm{dlog}_g(x)$, and it is again the smallest non-negative integer $\ell$ such that $g^\ell = x$. The discrete logarithm problem is the problem of calculating $\mathrm{dlog}_g x$ for a given $x \in C = \langle g \rangle$.

4.1. Shor's algorithm for calculating discrete logarithms. Although the problem appears to be difficult for classical computers, quantum computers can calculate discrete logarithms efficiently. We describe Shor's algorithm [20] for the discrete logarithm below. For simplicity, we assume that the order of the group $N := |C|$ is known. In fact, we can determine it efficiently using Shor's algorithm for period finding over $\mathbb{Z}$ (see [4, §IV.D]).

Algorithm 2 (Discrete logarithm).

(1) Create the uniform superposition
\[
|\mathbb{Z}/N\mathbb{Z}, \mathbb{Z}/N\mathbb{Z}\rangle = \frac{1}{N} \sum_{a, b \in \mathbb{Z}/N\mathbb{Z}} |a, b\rangle .
\]

(2) Define $f : \mathbb{Z}/N\mathbb{Z} \times \mathbb{Z}/N\mathbb{Z} \to C$ by
\[
f(a, b) = x^a \cdot g^b .
\]
Note that $f(a, b) = f(c, d)$ if and only if $(a - c)\,\mathrm{dlog}_g x \equiv d - b \pmod N$. Compute this function in an ancilla register, giving
\[
\frac{1}{N} \sum_{a, b \in \mathbb{Z}/N\mathbb{Z}} |a, b, f(a, b)\rangle .
\]

(3) Discard the ancilla register, giving the state
\[
\frac{1}{\sqrt N} \sum_{a \in \mathbb{Z}/N\mathbb{Z}} |a,\ c - a\,\mathrm{dlog}_g x\rangle
\]
for an unknown $c$.

(4) Perform a Quantum Fourier Transform over $\mathbb{Z}/N\mathbb{Z} \times \mathbb{Z}/N\mathbb{Z}$ on the two registers and measure, which will yield the outcome $(\gamma\,\mathrm{dlog}_g x, \gamma)$ for a uniformly random $\gamma \in \mathbb{Z}/N\mathbb{Z}$.

(5) Repeat the above steps, thus obtaining another pair of values $(\gamma'\,\mathrm{dlog}_g x, \gamma')$. With probability at least $6/\pi^2 \approx 0.61$ the factors $\gamma$ and $\gamma'$ will be co-prime, hence with the same probability the value $\gcd(\gamma\,\mathrm{dlog}_g x, \gamma'\,\mathrm{dlog}_g x)$ will equal the desired outcome $\mathrm{dlog}_g x$. Alternatively, whenever the observed $\gamma$ satisfies $\gcd(\gamma, N) = 1$, a single sample already suffices, since $\mathrm{dlog}_g x = (\gamma\,\mathrm{dlog}_g x) \cdot \gamma^{-1} \bmod N$.
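Algorithm 2 can likewise be simulated exactly for a small cyclic group. The Python program below is an added example, not code from the notes: on the constructed instance $C = (\mathbb{Z}/11\mathbb{Z})^\times$ with generator $g = 2$ and known order $N = 10$, it writes down the step-(3) state, applies the QFT over $\mathbb{Z}/N\mathbb{Z} \times \mathbb{Z}/N\mathbb{Z}$ with plain complex arithmetic, checks that the only outcomes are the pairs $(\gamma\,\mathrm{dlog}_g x, \gamma)$, and recovers the logarithm from a sample with invertible $\gamma$ (the single-sample variant of step (5)). All names are the example's own.

```python
# Added example, not from the lecture notes: an exact simulation of Algorithm 2 for the
# constructed instance C = (Z/11Z)^x, a cyclic group with generator g = 2 and known order
# N = 10.  The step-(3) state is written down explicitly, the QFT over Z/NZ x Z/NZ is applied
# with plain complex arithmetic, and the outcomes are checked to be the pairs (gamma*l, gamma).
import cmath
import random
from math import gcd, isclose

P, G = 11, 2                 # constructed instance: (Z/11Z)^x is cyclic of order 10, generated by 2
N = P - 1                    # |C| = 10, assumed known (Section 4.1 explains how to find it)


def dlog_brute(x: int) -> int:
    """Reference answer: smallest l >= 0 with g^l == x (mod p), by exhaustive search."""
    for l in range(N):
        if pow(G, l, P) == x:
            return l
    raise ValueError("x is not a power of g")


def outcome_distribution(x: int):
    """Step (4): probability of each measured pair (u, v), via an explicit 2-D QFT.

    The step-(3) state is (1/sqrt N) sum_a |a, c - a*l>; the QFT sends |a, b> to
    (1/N) sum_{u,v} exp(2 pi i (a u + b v)/N) |u, v>.  The unknown c contributes only a
    global phase, so c = 0 is used here.
    """
    l = dlog_brute(x)        # used only to prepare the state the quantum computer would hold
    dist = {}
    for u in range(N):
        for v in range(N):
            amp = sum(cmath.exp(2j * cmath.pi * (a * u + ((-a * l) % N) * v) / N)
                      for a in range(N)) / (N * N ** 0.5)
            p = abs(amp) ** 2
            if not isclose(p, 0.0, abs_tol=1e-9):
                dist[(u, v)] = p
    return dist


def recover_dlog(samples):
    """Step (5) post-processing: from pairs (gamma*l mod N, gamma) recover l.

    Whenever gamma is invertible mod N a single pair suffices, l = (gamma*l) * gamma^{-1};
    this is the single-sample variant mentioned at the end of step (5).
    """
    for u, v in samples:
        if gcd(v, N) == 1:
            return (u * pow(v, -1, N)) % N
    return None              # no invertible gamma among the samples: draw more


def simulate(x: int, shots: int = 40, seed: int = 0):
    """Run the measurement `shots` times on the exact distribution and post-process."""
    rng = random.Random(seed)
    dist = outcome_distribution(x)
    pairs, weights = zip(*dist.items())
    samples = [rng.choices(pairs, weights=weights)[0] for _ in range(shots)]
    return samples, recover_dlog(samples)


if __name__ == "__main__":
    x = pow(G, 7, P)         # 2^7 mod 11 = 7, so dlog_2(7) = 7
    samples, l = simulate(x)
    print("first measured pairs:", samples[:5])
    print("recovered dlog:", l, " brute force:", dlog_brute(x))
```

Exactly $N$ of the $N^2$ pairs have nonzero probability, each $1/N$, and every one of them has first coordinate $\gamma \cdot \mathrm{dlog}_g x \bmod N$; the post-processing is purely classical and cheap.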

4.2. Cryptographic Consequences. Being able to calculate discrete logarithms over $\mathbb{Z}/N\mathbb{Z}$ implies being able to break the Diffie-Hellman key-exchange protocol (as well as the ElGamal protocol). Unlike our quantum algorithms, the best known classical algorithm (the Number Field Sieve) has, for both factoring and discrete logarithms, a proven running time of $2^{O(\sqrt{\log N \,\log\log N})}$ and a conjectured running time of $2^{O((\log N)^{1/3} (\log\log N)^{2/3})}$.

Note that the bounds on the classical algorithm are upper bounds, not lower bounds. Finding a method of proving that there is no efficient classical algorithm for factoring or discrete logarithms is one of the major unresolved challenges in computational number theory.

Factoring and the discrete logarithm problem are so-called natural problems, where the problem statement contains complete information about the problem ($N$, or $N, g, x$). In contrast, black-box problems have part of the computational problem hidden in a black box that must be queried to find a solution. In this setting, it was proven by Cleve [5] that the classical lower bound for the period finding problem is $\Omega(N^{1/3}/\sqrt{\log N})$ queries, while quantum mechanically we can solve the same problem with $(\log N)^{O(1)}$ quantum queries.

5. Abelian Hidden Subgroup Problem

Algorithms 1 and 2 solve particular instances of a more general problem, the Abelian hidden subgroup problem (Abelian hsp). Here we will describe this problem and its efficient quantum solution in its generality.

Let $G$ be a finite Abelian group and consider a function $F : G \to S$, where $S$ is some finite set. We say that $F$ hides the subgroup $H \le G$ if for all $x, y \in G$ we have

$F(x) = F(y)$ if and only if $x - y \in H$.

In other words, $F(x) = F(h + x)$ holds if and only if $h \in H$. To understand this situation well, it is helpful to look at the cosets $H_r$ of $H$ in $G$, which are defined by $H_r := r + H = \{r + h : h \in H\}$. The coset decomposition of $G$ in terms of $H$ refers to a set of mutually disjoint cosets $\{H_r : r\}$ such that $\bigcup_r H_r = G$.

Example 2. Take $G = \mathbb{Z}/6\mathbb{Z} := \{0, 1, 2, 3, 4, 5\}$ and $H = \{0, 3\} \le G$. Then we see that $G$ can be decomposed as $G = H_0 \cup H_1 \cup H_2$, where $H_0 := 0 + H = \{0, 3\}$, $H_1 := 1 + H = \{1, 4\}$, and $H_2 := 2 + H = \{2, 5\}$ are mutually disjoint cosets of $H$.

Going back to the hidden subgroup problem, we see that a function $F$ that hides $H$ is constant on each coset $r + H$ and takes different values on different cosets $r + H$. In the Abelian hsp, we are asked to find a generating set for $H$, given the ability to query the function $F$. For every different kind of group $G$ and its possible subgroups $H$, this is a different kind of problem.

5.1. Characters and the Dual Group. To explain the efficient quantum solution to the Abelian hsp, we have to introduce the notion of a character of a finite Abelian group. For a finite Abelian group $G$, a character of $G$ is a function $\Psi : G \to \{z \in \mathbb{C} \mid |z| = 1\}$ with the property that for all $x, y \in G$ we have $\Psi(x + y) = \Psi(x)\Psi(y)$. The set of all characters of $G$,

$\hat G := \{\Psi \mid \Psi : G \to \mathbb{C} \text{ is a character of } G\}$,

is called the dual group of $G$. The trivial character of $G$ is the constant function $\Psi(x) = 1$.

Example 3. In the case of $G = \mathbb{Z}/N\mathbb{Z}$ we have the characters $\Psi_a(x) = e^{2\pi i ax/N}$ for $a \in \{0, 1, \ldots, N-1\}$, with $a = 0$ yielding the trivial character $\Psi_0 = 1$. We can also define a group operation $\circ$ on $\hat G$ by $\Psi_a \circ \Psi_b := \Psi_{a+b}$, showing that $(\hat G, \circ)$ is isomorphic to $\mathbb{Z}/N\mathbb{Z} = G$, and hence $|\hat G| = |G|$.

The above isomorphism between $G$ and $\hat G$ is no coincidence, as for all finite Abelian groups we have $G \simeq \hat G$. As another example, consider a finite cyclic group $G := \{1, g, g^2, \ldots, g^{r-1}\}$ of size $r$ generated by $g$. Now the $r$ different characters of $G$ are the functions defined by $\Psi_a(g^b) = e^{2\pi i ab/r}$ for all $a, b \in \{0, \ldots, r-1\}$. Again the dual group $\hat G$ forms a group with respect to the pointwise product of mappings, $(\Psi_a \circ \Psi_b)(x) = \Psi_a(x) \cdot \Psi_b(x) = \Psi_{a+b}(x)$ for $x \in G$. As $G \simeq \mathbb{Z}/r\mathbb{Z}$ we have again $\hat G \simeq G \simeq \mathbb{Z}/r\mathbb{Z}$, and consequently $|\hat G| = |G|$.

Characters have several useful properties, the following of which are fundamental tools for describing the quantum algorithm for the finite Abelian hsp.

Lemma 2. Let $G$ be a finite Abelian group and $H$ a subgroup of $G$. For each character $\Psi$ of $G$ we have
\[
\frac{1}{|G|} \sum_{x \in G} \Psi(x) =
\begin{cases} 1 & \text{if } \Psi \text{ is trivial,} \\ 0 & \text{if } \Psi \text{ is nontrivial.} \end{cases}
\]
More specifically, we have
\[
\frac{1}{|H|} \sum_{x \in H} \Psi(x) =
\begin{cases} 1 & \text{if } \Psi \text{ is trivial on } H, \\ 0 & \text{if } \Psi \text{ is nontrivial on } H. \end{cases}
\]



5.2. Quantum Fourier Transform for Abelian Groups. In Section 3 we described the quantum Fourier transform over $\mathbb{Z}/N\mathbb{Z}$. This transformation can be generalized to any finite Abelian group by using the characters of $G$. For each finite Abelian group $G$, we define the unitary quantum Fourier transform
\[
|x\rangle \mapsto \frac{1}{\sqrt{|G|}} \sum_{\Psi \in \hat G} \Psi(x)\, |\Psi\rangle
\]
for each $x \in G$. If we know enough about $G$, we can implement this efficiently in $\mathrm{poly}(\log|G|)$ steps. The quantum Fourier transform will help us solve the general Abelian hidden subgroup problem.

5.3. Solving the Abelian Hidden Subgroup Problem.

Algorithm 3. Let $G$ be a finite Abelian group and let $F : G \to S$ be a function that hides a subgroup $H \le G$. The following efficient quantum algorithm determines (a set of generators of) $H$.

(1) Create the superposition
\[
\frac{1}{\sqrt{|G|}} \sum_{x \in G} |x, F(x)\rangle .
\]
When ignoring the right register, and since $F$ hides $H$, the left register can be described by
\[
|s + H\rangle := \frac{1}{\sqrt{|H|}} \sum_{h \in H} |s + h\rangle
\]
for an unknown $s$.

(2) Apply the quantum Fourier transform over $G$ to the left register,
\[
|s + H\rangle \mapsto \frac{1}{\sqrt{|G|\,|H|}} \sum_{\Psi \in \hat G} \sum_{h \in H} \Psi(s + h)\, |\Psi\rangle
= \frac{1}{\sqrt{|G|\,|H|}} \sum_{\Psi \in \hat G} \Psi(s) \Bigl( \sum_{h \in H} \Psi(h) \Bigr) |\Psi\rangle .
\]

(3) By Lemma 2, only the $\Psi$'s that are trivial on $H$ survive the summation over $h \in H$. Hence when measuring the register, we will only observe such $\Psi$'s, of which there are $|G|/|H|$, each with probability $|H|/|G|$.

(4) By repeating the above procedure $(\log|G|)^{O(1)}$ times, we obtain enough information, through the observed characters that are trivial on $H$, to reconstruct $H$: it is the set of $x \in G$ on which all observed characters equal $1$.
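The classical side of Algorithm 3 (Lemma 2, the count $|G|/|H|$ of surviving characters, and the reconstruction of $H$ in step (4)) is spelled out in the following Python program, an added example that is not code from the notes. It assumes $G$ is given as a product of cyclic groups $\mathbb{Z}/n_1\mathbb{Z} \times \cdots \times \mathbb{Z}/n_k\mathbb{Z}$ with characters indexed by tuples $a$, $\chi_a(x) = e^{2\pi i \sum_i a_i x_i / n_i}$, and it replaces the quantum measurement by uniform sampling from the characters trivial on $H$, which is the exact distribution step (3) produces. Function names are the example's own.

```python
# Added example, not from the lecture notes: the classical bookkeeping around Algorithm 3
# for a product of cyclic groups G = Z/n_1 x ... x Z/n_k (the form every finite Abelian group
# takes).  Characters are indexed by tuples a, chi_a(x) = exp(2 pi i sum_i a_i x_i / n_i).
# Lemma 2 is checked numerically, the characters trivial on H (the only ones step (3) can
# return, each equally likely) are enumerated, and H is rebuilt as their joint kernel.
import cmath
import itertools
import random


def elements(mods):
    return list(itertools.product(*(range(n) for n in mods)))


def add(mods, x, y):
    return tuple((xi + yi) % n for xi, yi, n in zip(x, y, mods))


def subgroup_generated(mods, gens):
    """Closure of gens under +; H is finite, so iterating to a fixed point terminates."""
    h = {tuple(0 for _ in mods)}
    frontier = list(h)
    while frontier:
        x = frontier.pop()
        for g in gens:
            y = add(mods, x, g)
            if y not in h:
                h.add(y)
                frontier.append(y)
    return h


def character(mods, a, x):
    return cmath.exp(2j * cmath.pi * sum(ai * xi / n for ai, xi, n in zip(a, x, mods)))


def is_one(z):
    return abs(z - 1) < 1e-9


def character_sum(mods, a, subset):
    """(1/|S|) sum_{x in S} chi_a(x): Lemma 2 says 1 if chi_a is trivial on S, else 0."""
    return sum(character(mods, a, x) for x in subset) / len(subset)


def trivial_on(mods, h):
    """Characters surviving step (3): chi_a(x) = 1 for every x in H."""
    return [a for a in elements(mods) if all(is_one(character(mods, a, x)) for x in h)]


def reconstruct_h(mods, observed):
    """Step (4): H is the set of x at which every observed character equals 1."""
    return {x for x in elements(mods) if all(is_one(character(mods, a, x)) for a in observed)}


def run_hsp(mods, gens, shots=None, seed=0):
    """Sample uniformly from the characters trivial on H (the exact measurement
    distribution of step (3)) and check that step (4) recovers H."""
    h = subgroup_generated(mods, gens)
    survivors = trivial_on(mods, h)
    size_g = len(elements(mods))
    assert len(survivors) == size_g // len(h)        # |G|/|H| of them, as in step (3)
    rng = random.Random(seed)
    shots = shots or 8 * size_g.bit_length()         # (log |G|)^O(1) repetitions
    observed = [rng.choice(survivors) for _ in range(shots)]
    return reconstruct_h(mods, observed) == h


if __name__ == "__main__":
    # Example 2 of the notes: G = Z/6Z, H = {0, 3}; the surviving characters are a in {0, 2, 4}.
    print(trivial_on((6,), {(0,), (3,)}))
    print(run_hsp((6,), [(3,)]), run_hsp((4, 6), [(2, 3)]))
```

For Example 2 the surviving characters are $\Psi_0, \Psi_2, \Psi_4$, and already one observation of $\Psi_2$ or $\Psi_4$ pins $H$ down to $\{0, 3\}$; the second call shows the same bookkeeping on a non-cyclic group.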

5.4. Hidden Periodicity Problem over $\mathbb{Z}$. In the previous section, we saw how the Abelian hidden subgroup problem can be solved efficiently over any known finite Abelian group. An important generalization of this problem is the hidden periodicity problem over $\mathbb{Z}$, where $F$ is a function defined over $\mathbb{Z}$ with a period $p$, i.e. $F(x) = F(y)$ if and only if $x \equiv y \pmod p$. With $G$ the infinite Abelian group $\mathbb{Z}$ and $H = p\mathbb{Z}$ its subgroup, this is yet another instance of the hidden subgroup problem, but this time for infinite groups. As explained, for example, in [4, §IV.D], Shor [20] showed how to find the period $p$ hidden by $F$ efficiently, in time $\mathrm{poly}(\log p)$ on a quantum computer.
5.5. Decomposing Abelian Groups. It is known that any finite Abelian group $(G, +)$ has a decomposition into a direct product of cyclic groups, $G \simeq \mathbb{Z}/N_1\mathbb{Z} \times \cdots \times \mathbb{Z}/N_k\mathbb{Z}$.

Suppose we are given implicitly an encoding $E : G \to S$ of a finite Abelian group $(G, +)$, with the properties:

(1) $E$ is an injection (i.e. $E(h) = E(g)$ implies $g = h$).

(2) Given $E(g)$ and $E(h)$ you can compute $E(g + h)$ and $E(-g)$.

Then there exists a quantum algorithm that, given only such an encoding $E$, efficiently finds the above decomposition of $G$. Watrous [21] generalized this quantum algorithm to all solvable finite groups.

6. Fields

In this section we turn our attention to quantum algorithms that deal with fields instead of groups. A typical example of a field is given by the set of rational numbers $\mathbb{Q}$, which is closed under addition and multiplication, and in which each rational number $x$ has an additive inverse $y$ and (if $x \ne 0$) a multiplicative inverse $z$ such that $x + y = 0$ and $x \cdot z = 1$. In general a field is a set that is closed under an addition $(+)$ and a multiplication $(\cdot)$ operation

$+ : F \times F \to F, \ (x, y) \mapsto x + y,$
$\cdot : F \times F \to F, \ (x, y) \mapsto x \cdot y$

and that satisfies, for all $a, b, c, u, v \in F$,

(1) $a + (b + c) = (a + b) + c$, $\ a \cdot (b \cdot c) = (a \cdot b) \cdot c$ (associative),

(2) $a + b = b + a$, $\ a \cdot b = b \cdot a$ (commutative),

(3) $u \cdot (a + b) = u \cdot a + u \cdot b$, $\ (u + v) \cdot a = u \cdot a + v \cdot a$ (distributive),

(4) there exist elements $0$ and $1$ such that $a + 0 = 0 + a = a$ and $a \cdot 1 = 1 \cdot a = a$ for all $a \in F$. Such elements are unique and are called the zero element and the unit element, respectively.

(5) For each $a$ in $F$, there exists an element $b$ in $F$ such that $a + b = b + a = 0$. This element is called the additive inverse of $a$.

(6) For each $a$ in $F \setminus \{0\}$, there exists an element $c$ in $F$ such that $a \cdot c = c \cdot a = 1$. This element is called the multiplicative inverse of $a$.

Unsurprisingly, when the number of elements in $F$ is finite, $F$ is called a finite field. Given a finite size $q = |F|$ there is, up to isomorphism, only one field of that size, and we denote this finite field by $\mathbb{F}_q$. It is known that when $F$ is a finite field, it must hold that $|F| = p^n$ with $p$ a prime and $n \in \mathbb{N}$.

Example 4. The following examples and counterexamples of fields are standard.

1. $\mathbb{Q}$, $\mathbb{R}$, $\mathbb{C}$ are fields. However, $\mathbb{Z}$ is not a field, as not all integers have a multiplicative inverse in $\mathbb{Z}$.

2. For any prime number $p$, $\mathbb{Z}/p\mathbb{Z}$ is a finite field, and we often write $\mathbb{F}_p$ instead of $\mathbb{Z}/p\mathbb{Z}$.

3. For $N$ a composite number, $\mathbb{Z}/N\mathbb{Z}$ is not a field, since it has zero divisors (Section 2).

Exercise 2. Let $\mathbb{F}_4 = \{0, 1, x, y\}$. Write down its addition and multiplication tables.
Answer 2. We start with the multiplication table for all $a, b \in \mathbb{F}_4$:

  a · b | b = 0 | b = 1 | b = x | b = y
 -------+-------+-------+-------+-------
  a = 0 |   0   |   0   |   0   |   0
  a = 1 |   0   |   1   |   x   |   y
  a = x |   0   |   x   |  x^2  |  xy
  a = y |   0   |   y   |  yx   |  y^2

Our task is to determine the values in the bottom right $2 \times 2$ block of the above table. If $xy = y$, we have $x = 1$ since $y$ has an inverse element, which is a contradiction. Similarly $xy$ is not equal to $x$ (nor to $0$), and hence we have $xy = 1$. As this implies that $yx = 1$, we see that $x^2$ and $y^2$ must be $y$ and $x$, respectively. Hence the following multiplication table for $a, b \in \mathbb{F}_4$ is the correct one.

  a · b | b = 0 | b = 1 | b = x | b = y
 -------+-------+-------+-------+-------
  a = 0 |   0   |   0   |   0   |   0
  a = 1 |   0   |   1   |   x   |   y
  a = x |   0   |   x   |   y   |   1
  a = y |   0   |   y   |   1   |   x

What remains is to determine the rules for addition in $\mathbb{F}_4$. As $\mathbb{F}_4$ is an extension field of $\mathbb{F}_2$ we have $1 + 1 = 2 = 0 \pmod 2$, hence $a + a = (1 + 1) \cdot a = 0$ for every $a$, which gives the following table for $a + b$ for all $a, b \in \mathbb{F}_4$:

  a + b | b = 0 | b = 1 | b = x | b = y
 -------+-------+-------+-------+-------
  a = 0 |   0   |   1   |   x   |   y
  a = 1 |   1   |   0   |  1+x  |  1+y
  a = x |   x   |  x+1  |   0   |  x+y
  a = y |   y   |  y+1  |  y+x  |   0

As in the case of multiplication, $1 + x$ is not equal to $0$, $1$ or $x$, and hence we have $1 + x = x + 1 = y$, which shows that $x + y = 1$ and $1 + y = y + 1 = x$. Hence we end up with this table:

  a + b | b = 0 | b = 1 | b = x | b = y
 -------+-------+-------+-------+-------
  a = 0 |   0   |   1   |   x   |   y
  a = 1 |   1   |   0   |   y   |   x
  a = x |   x   |   y   |   0   |   1
  a = y |   y   |   x   |   1   |   0
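The same tables can be generated mechanically from a concrete construction of $\mathbb{F}_4$. The Python program below is an added example, not code from the notes: it realises $\mathbb{F}_4$ as $\mathbb{F}_2[X]/(X^2 + X + 1)$ with elements stored as 2-bit integers, and it assumes the identification $x := X$, $y := X + 1$ (the exercise leaves the two names abstract). Addition is XOR, multiplication is carry-less multiplication followed by reduction, and the field axioms that are not automatic are checked. Function names are the example's own.

```python
# Added example, not from the lecture notes: F_4 built as F_2[X]/(X^2 + X + 1), with elements
# stored as 2-bit integers b1*X + b0.  Addition is XOR; multiplication is carry-less
# multiplication followed by reduction by X^2 = X + 1.  The tables of Exercise 2 are
# generated from the rules, with the assumed naming x := X and y := X + 1.
NAMES = {0b00: "0", 0b01: "1", 0b10: "x", 0b11: "y"}


def f4_add(a: int, b: int) -> int:
    """Coefficient-wise addition mod 2."""
    return a ^ b


def f4_mul(a: int, b: int) -> int:
    """Carry-less product reduced modulo X^2 + X + 1 (so X^2 -> X + 1, i.e. 0b100 -> 0b011)."""
    prod = 0
    for i in range(2):
        if (b >> i) & 1:
            prod ^= a << i
    if prod & 0b100:
        prod ^= 0b111           # subtracting (= adding) X^2 + X + 1 clears the X^2 term
    return prod


def f4_inverse(a: int) -> int:
    """Multiplicative inverse by exhaustive search over the three nonzero elements."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in a field")
    return next(b for b in range(1, 4) if f4_mul(a, b) == 1)


def table(op):
    """Render a 4x4 Cayley table as rows of element names, in the order 0, 1, x, y."""
    return [[NAMES[op(a, b)] for b in range(4)] for a in range(4)]


def is_field() -> bool:
    """Check the axioms not automatic from the construction: every nonzero element is
    invertible and multiplication is associative (the rest follows from XOR and the rules)."""
    elems = range(4)
    assoc = all(f4_mul(f4_mul(a, b), c) == f4_mul(a, f4_mul(b, c))
                for a in elems for b in elems for c in elems)
    inv = all(f4_mul(a, f4_inverse(a)) == 1 for a in range(1, 4))
    return assoc and inv


if __name__ == "__main__":
    for name, op in (("a + b", f4_add), ("a * b", f4_mul)):
        print(name)
        for a, row in zip(range(4), table(op)):
            print(f"  a={NAMES[a]}: " + " ".join(row))
```

The reduction step is the whole content of the argument in Answer 2: $x \cdot x = X^2 = X + 1 = y$, $x \cdot y = X^2 + X = 1$, and $1 + x = y$ fall out of the single rule $X^2 = X + 1$.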






6.1. Field extensions. Note that the field of real numbers $\mathbb{R}$ is included in the field of complex numbers $\mathbb{C}$. In general, when a field $K$ contains a field $F$ as a subset, $F$ is called a subfield of $K$. Conversely, $K$ is called an extension field of $F$. In this situation, the extension field $K$ of $F$ can be viewed as a vector space over $F$, and its dimension is called the degree of $K$ over $F$. The complex numbers $\mathbb{C}$ form an extension field of $\mathbb{R}$ of degree $2$. Another way of understanding such algebraic extensions is by viewing $\mathbb{C}$ as $\mathbb{R}$ extended with a solution of the degree-$2$ equation $X^2 + 1 = 0$, which allows us to write $\mathbb{C} = \mathbb{R}[X]/(X^2 + 1)$. Similarly, the finite field $\mathbb{F}_4$ is a degree-$2$ extension of $\mathbb{F}_2$ with an $X$ such that $X^2 + X = 1$, i.e. $\mathbb{F}_4 = \mathbb{F}_2[X]/(X^2 + X + 1)$. Continuing with this idea, $\mathbb{F}_4$ can be further extended to $\mathbb{F}_{16}$, and in general $\mathbb{F}_s$ is an extension of $\mathbb{F}_q$ if and only if $s$ is an integral power of $q$.
6.2. Number Fields. A complex number $\alpha$ is an algebraic number if $\alpha$ satisfies some monic polynomial with rational coefficients,
\[
p(\alpha) = 0, \qquad p(x) = x^n + c_1 x^{n-1} + \cdots + c_{n-1} x + c_n \quad (c_i \in \mathbb{Q}).
\]
In particular, $\alpha$ is an algebraic integer if $\alpha$ satisfies some monic polynomial with integer coefficients. Any (usual) integer $z \in \mathbb{Z}$ is an algebraic integer, since it is the zero of the linear monic polynomial $p(x) = x - z$.

A number field is an extension of $\mathbb{Q}$ by some algebraic numbers. For instance,
\[
K = \mathbb{Q}(\sqrt{-5}) := \{a + b\sqrt{-5} \mid a, b \in \mathbb{Q}\}
\]
is a quadratic number field, of degree $2$, since $\sqrt{-5}$ is a root of the equation $x^2 + 5 = 0$. The set of algebraic integers contained in a number field $K$ is called the ring of integers $\mathcal{O}_K$ of $K$. One can show that $\mathcal{O}_K$ is indeed a ring.

For example, the ring of integers of $\mathbb{Q}$ is $\mathbb{Z}$, and that of $\mathbb{Q}(\sqrt m)$ ($m$ a square-free integer) is
\[
\mathcal{O}_{\mathbb{Q}(\sqrt m)} = \{a + b\omega \mid a, b \in \mathbb{Z}\},
\]
where
\[
\omega = \begin{cases} \sqrt m & \text{if } m \equiv 2, 3 \pmod 4, \\[2pt] \dfrac{1 + \sqrt m}{2} & \text{if } m \equiv 1 \pmod 4. \end{cases}
\]
Note that, unlike $\mathbb{Z}$, a ring of integers of $K$ in general does not have the unique factorization property. For example, $6 = 3 \times 2 = (1 + \sqrt{-5})(1 - \sqrt{-5})$ in $\mathcal{O}_{\mathbb{Q}(\sqrt{-5})}$.

7. Elliptic Curve Cryptography

7.1. Elliptic Curves. Let $K$ be a field and consider the cubic equation $Y^2 = X^3 + aX^2 + bX + c$ with $a, b, c \in K$. If this equation is nonsingular, the corresponding elliptic curve $E(K)$ is the set of its solutions $(X, Y) \in K^2$ combined with "the point at infinity" $O$:
\[
E(K) := \{(X, Y) \in K^2 \mid Y^2 = X^3 + aX^2 + bX + c\} \cup \{O\}.
\]
By suitable linear transformations (when the characteristic of $K$ is not $2$ or $3$), any elliptic curve can be rewritten in the form of the Weierstraß equation
\[
Y^2 = X^3 + \alpha X + \beta \quad (\alpha, \beta \in K).
\]

Exercise 3. Consider the elliptic curve defined by $Y^2 = X^3 + 2X + 1$ over $\mathbb{F}_5$. List the solutions $(X, Y) \in \mathbb{F}_5^2$.

Answer 3. The squares in $\mathbb{F}_5$ are $0, 1, 4$, so a value $X$ contributes points exactly when $X^3 + 2X + 1 \in \{0, 1, 4\}$; this holds for $X = 0, 1, 3$ (right-hand sides $1, 4, 4$) and fails for $X = 2, 4$ (right-hand side $3$). Hence
\[
E(\mathbb{F}_5) := \{(X, Y) \mid Y^2 = X^3 + 2X + 1\} \cup \{O\}
= \{(0, 1), (0, 4), (1, 2), (1, 3), (3, 2), (3, 3), O\}.
\]

Surprisingly, for the elements of $E(K)$ we can define an addition operation. To make the definition of addition easier to understand, we will consider elliptic curves over $\mathbb{R}$ for the moment. Given two points $P, Q \in E$, their sum $P + Q$ is defined geometrically as follows. First assume that neither point is $O$. Draw the line through the points $P$ and $Q$ or, if $P = Q$, draw the tangent to the curve at $P$, and let $R$ denote the third point of intersection with $E(K)$ (if the line is vertical, i.e. parallel to $X = 0$, we have the intersection $R = O$). Then we define $P + Q$ as the reflection of $R$ about the $X$ axis, where the reflection of $O$ is itself. If one of $P$ or $Q$ is $O$, we draw a vertical line through the other point, so that $P + O = P$, showing that $O$ is the zero element. Reflection about the $X$ axis corresponds to negation, so we can think of the rule as saying that the three points of intersection of a line with $E(K)$ sum to $O$.

The above geometrical introduction does not necessarily make sense for other fields. Nevertheless, we can obtain the same structure for any field $K$ by translating the above argument into coordinates in $K^2$. Let $P = (x_P, y_P)$ and $Q = (x_Q, y_Q)$. Provided $x_P \ne x_Q$, the slope of the line through $P$ and $Q$ is
\[
\lambda = \frac{y_Q - y_P}{x_Q - x_P}.
\]
Computing the intersection of this line with the curve in Weierstraß form we find
\[
x_{P+Q} = \lambda^2 - x_P - x_Q, \qquad y_{P+Q} = \lambda(x_P - x_{P+Q}) - y_P.
\]
If $x_P = x_Q$, there are two possibilities for $Q$: either $Q = (x_Q, y_Q) = (x_P, y_P) = P$ or $Q = (x_Q, y_Q) = (x_P, -y_P) = -P$. If $Q = -P$, then $P + Q = O$. On the other hand, if $P = Q$, that is, if we are computing $2P$, then the two equalities hold with $\lambda$ replaced by the slope of the tangent to the curve at $P$, namely
\[
\lambda = \frac{3x_P^2 + \alpha}{2y_P},
\]
unless $y_P = 0$, in which case the slope is infinite, so $2P = O$.

7.2. Elliptic Curve Cryptography. The discrete logarithm problem for an elliptic curve $E$ defined over a finite field $F$ is described as follows. Given two points $P$ and $Q$ in $E$, how many times $r \in \mathbb{N}$ do we need to add $P$ to get
\[
rP = \underbrace{P + \cdots + P}_{r} = Q\,?
\]
This problem appears harder than the discrete logarithm over $(\mathbb{Z}/N\mathbb{Z})^\times$: no subexponential classical algorithm for it is known. As a result, elliptic curve cryptography systems that rely on the hardness of the discrete logarithm over elliptic curves allow smaller keys. An example of such a system is the one supported by Certicom, which is used in BlackBerry devices.

Our quantum algorithm for solving the hidden subgroup problem over $(E, +)$ still applies however, and thus allows us to break this cryptosystem as well. For more details on the implementation of Shor's algorithm over elliptic curves, see Proos and Zalka [18], Kaye [12], and Cheung et al. [3].
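The coordinate formulas of Section 7.1 and the discrete logarithm problem of Section 7.2 are both exercised by the following Python program, an added example that is not code from the notes. It implements the group law for a Weierstraß curve over a prime field $\mathbb{F}_p$ (with $O$ encoded as `None`), enumerates $E(\mathbb{F}_5)$ for the curve of Exercise 3, checks that the formulas close on that set, and solves a toy instance of $rP = Q$ by brute force, which is the only option at this size and serves to exhibit the problem rather than attack it. The class and function names are the example's own.

```python
# Added example, not from the lecture notes: the group law of Section 7.1 for a curve in
# Weierstrass form Y^2 = X^3 + alpha X + beta over a prime field F_p, with O encoded as None.
# It enumerates E(F_5) for the curve of Exercise 3, checks that the addition formulas close on
# that set, and solves a toy elliptic-curve discrete logarithm (Section 7.2) by brute force.
from dataclasses import dataclass


@dataclass(frozen=True)
class Curve:
    p: int
    alpha: int
    beta: int

    def __post_init__(self):
        if (4 * self.alpha ** 3 + 27 * self.beta ** 2) % self.p == 0:
            raise ValueError("singular curve")       # nonsingularity condition for this form

    def contains(self, pt):
        if pt is None:
            return True
        x, y = pt
        return (y * y - (x ** 3 + self.alpha * x + self.beta)) % self.p == 0

    def neg(self, pt):
        return None if pt is None else (pt[0], (-pt[1]) % self.p)

    def add(self, P, Q):
        """Chord-and-tangent addition with the coordinate formulas of Section 7.1."""
        if P is None:
            return Q
        if Q is None:
            return P
        xp, yp = P
        xq, yq = Q
        if xp == xq and (yp + yq) % self.p == 0:
            return None                              # Q = -P (includes 2P when y_P = 0)
        if P == Q:
            lam = (3 * xp * xp + self.alpha) * pow(2 * yp, -1, self.p)   # tangent slope
        else:
            lam = (yq - yp) * pow(xq - xp, -1, self.p)                   # chord slope
        lam %= self.p
        xr = (lam * lam - xp - xq) % self.p
        yr = (lam * (xp - xr) - yp) % self.p
        return (xr, yr)

    def mul(self, k, P):
        """k P by double-and-add (O(log k) group operations)."""
        R = None
        while k:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

    def points(self):
        """All of E(F_p) by exhaustive search, O first."""
        return [None] + [(x, y) for x in range(self.p) for y in range(self.p)
                         if self.contains((x, y))]


def ecdlog_brute(E, P, Q):
    """Smallest r >= 0 with r P = Q, or None if Q is not a multiple of P.

    Runs in time proportional to the order of P, i.e. exponential in log p; this gap
    between the cheap forward map `mul` and the expensive inverse is what the cryptosystem
    relies on classically."""
    R, r = None, 0
    while True:
        if R == Q:
            return r
        R = E.add(R, P)
        r += 1
        if R is None:                                # cycled back to O without meeting Q
            return None


def closed_under_addition(E):
    pts = E.points()
    return all(E.add(P, Q) in pts for P in pts for Q in pts)


if __name__ == "__main__":
    E = Curve(5, 2, 1)
    print(E.points())                        # [None, (0, 1), (0, 4), (1, 2), (1, 3), (3, 2), (3, 3)]
    print(ecdlog_brute(E, (0, 1), (3, 3)))   # 3, since 3 * (0, 1) = (3, 3)
```

On this curve $|E(\mathbb{F}_5)| = 7$, so every point other than $O$ generates the whole group and $7P = O$ for each of them; the quantum algorithm of Section 5 would treat $(E, +)$ as the ambient Abelian group and recover $r$ in polynomial time.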

8. Counting Points of Finite Field Equations

As in the case of elliptic curves over finite fields, for $f \in \mathbb{F}_q[x, y]$ a polynomial in two variables with coefficients in $\mathbb{F}_q$, the finite set of zeros of $f$ makes a curve. Our interest lies with the number of zeros, that is, the number of points of the curve $C_f := \{(x, y) \in \mathbb{F}_q^2 \mid f(x, y) = 0\}$. Key parameters characterizing the complexity of this counting problem are the size $q$ of the field ($q = p^r$) and the genus $g$ of the curve. For a nonsingular, projective, planar curve $f$, the genus is $g = (d - 1)(d - 2)/2$, where $d = \deg(f)$ is the degree of the polynomial. Elliptic curves have genus $1$.

In the case of classical algorithms, Schoof [19] described an algorithm to count the number of points on an elliptic curve over $\mathbb{F}_q$ in time $\mathrm{poly}(\log q)$. Subsequent results by Pila [17] and by Adleman and Huang [1] generalized this result to hyperelliptic curves, giving an algorithm with running time $(\log q)^{O(g^2 \log g)}$. For fields $\mathbb{F}_{p^r}$, Lauder and Wan [14] showed the existence of a deterministic algorithm for counting points with time complexity $\mathrm{poly}(p, r, g)$. All these classical algorithms are bested by the quantum algorithm that Kedlaya [13] developed, which solves the same counting problem with time complexity $\mathrm{poly}(g, \log q)$.

8.1. Ingredients of Kedlaya's Algorithm. Kedlaya's algorithm is based on the relation between the class group of a curve $C_f$ and the zeros of the zeta function of $f$. Let $f \in \mathbb{F}_q[x, y]$ be a polynomial and let $C_f = \{x \in \mathbb{P}^2(\mathbb{F}_q) \mid f(x) = 0\}$ be its smooth curve in the projective plane $\mathbb{P}^2(\mathbb{F}_q)$. The projective plane is defined by $\mathbb{P}^2(\mathbb{F}_q) := (\mathbb{F}_q^3 \setminus \{0\})/\!\equiv$ with the equivalence $(x, y, z) \equiv (x', y', z')$ if and only if there exists an $\alpha \in \mathbb{F}_q^\times$ such that $(x', y', z') = \alpha(x, y, z)$. For each exponent $r \in \mathbb{N}$ we define $N_r$ to be the number of zeros of $f$ in $\mathbb{P}^2(\mathbb{F}_{q^r})$:
\[
N_r := |\{x \in \mathbb{P}^2(\mathbb{F}_{q^r}) \mid f(x) = 0\}|.
\]
Using these $N_r$, the zeta function of a curve $C$ is defined as the power series
\[
Z_C(T) := \exp\Bigl(\sum_{r=1}^{\infty} \frac{N_r}{r} T^r\Bigr).
\]
It is not hard to see that knowing $Z_C$ implies knowing the values $N_r$.

Kedlaya's quantum algorithm exploits the fact that the sizes of the class groups of $C_f$ give us information about the function $Z_C(T)$. It is known that these class groups are finite Abelian groups, and as was discussed in Section 5.5, quantum computers are able to find the structure and size of a given finite Abelian group. Through this connection, from the sizes of the class groups via the properties of the zeta function, Kedlaya's algorithm determines the values $N_r$ efficiently in terms of $\log q$ and the degree $d$ of the polynomial $f$.

9. Unit Group of Number Fields 

Let $K$ be a number field and $\mathcal{O}_K$ the ring of integers of $K$. The unit group of $K$ is the set of all multiplicatively invertible elements of $\mathcal{O}_K$. We denote the unit group of $K$ by

$$\mathcal{O}_K^* := \{ u \in \mathcal{O}_K \mid \exists\, u^{-1} \in \mathcal{O}_K \text{ such that } u \cdot u^{-1} = 1 \}.$$

As an example, let us consider the number field $K = \mathbb{Q}(\sqrt{5})$ and the ring

$$\mathbb{Z}[\sqrt{5}] = \{ a + b\sqrt{5} \mid a, b \in \mathbb{Z} \}.$$

(Strictly speaking, since $5 \equiv 1 \pmod 4$ the full ring of integers is $\mathcal{O}_{\mathbb{Q}(\sqrt{5})} = \mathbb{Z}[(1+\sqrt{5})/2]$, of which $\mathbb{Z}[\sqrt{5}]$ is a proper subring, an order; $(1+\sqrt{5})/2$ is a unit of $\mathcal{O}_K$ that does not lie in $\mathbb{Z}[\sqrt{5}]$, and $9 + 4\sqrt{5} = ((1+\sqrt{5})/2)^6$. The discussion below concerns units of $\mathbb{Z}[\sqrt{m}]$.) The element $9 + 4\sqrt{5}$ is a unit of $\mathbb{Z}[\sqrt{5}]$ as it has an inverse in that ring: $(9 + 4\sqrt{5})(9 - 4\sqrt{5}) = 1$. Furthermore, all powers $(9 \pm 4\sqrt{5})^k$ are units as well. As an aside, note that the units $x \pm y\sqrt{5}$ of norm $x^2 - 5y^2 = 1$ are exactly the solutions to Pell's equation

$$x^2 - m y^2 = 1$$

for $m = 5$. (Units of norm $-1$, such as $2 + \sqrt{5}$, exist here as well; they solve $x^2 - 5y^2 = -1$, and $(2+\sqrt{5})^2 = 9 + 4\sqrt{5}$.) In general it is known that for a non-square $m \in \mathbb{N}$ and the corresponding real quadratic field $K = \mathbb{Q}(\sqrt{m})$ there exists a fundamental unit $\varepsilon_0 \in \mathcal{O}_K^*$ such that

$$\mathcal{O}_K^* = \{ \pm \varepsilon_0^n \mid n \in \mathbb{Z} \}.$$

Quantum computers can exploit the fact that an integer $x \in \mathbb{Z}[\sqrt{m}]$ is a unit if and only if

Hence, the function $h(z) = e^z \mathbb{Z}[\sqrt{m}]$ is periodic with period $R := \log \varepsilon_0$, where $\varepsilon_0$ is the above-mentioned fundamental unit, here taken in $\mathbb{Z}[\sqrt{m}]$ (which is the full ring of integers of $\mathbb{Q}(\sqrt{m})$ for squarefree $m \not\equiv 1 \pmod 4$). Hallgren [11] showed that Shor's original period-finding algorithm can be extended to find this period $R$, the regulator, in the number-field setting; the difficulty is that $R$ is an irrational real number, so the period is not an integer as it is in Shor's algorithm.
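As an added worked example (not part of the article), the following Python script does the arithmetic above in $\mathbb{Z}[\sqrt{m}]$: it tests units by their norm, finds the fundamental unit of $\mathbb{Z}[\sqrt{m}]$ by brute force for small $m$, generates the Pell solutions as its powers, and computes the period $R = \log \varepsilon_0$. The brute-force search and the sample values $m = 5, 2, 7$ are my choices; for larger $m$ the fundamental unit can have hundreds of digits and one would use the continued-fraction expansion of $\sqrt{m}$ instead.

```python
# Added example: arithmetic in Z[sqrt(m)] and the units/Pell correspondence.
# Not from the article; the brute-force search is an illustration for small m only.
from math import isqrt, log, sqrt

def mul(u, v, m):
    """(a + b sqrt m)(c + d sqrt m) in Z[sqrt m]; elements are integer pairs (a, b)."""
    a, b = u
    c, d = v
    return (a * c + m * b * d, a * d + b * c)

def norm(u, m):
    """N(a + b sqrt m) = (a + b sqrt m)(a - b sqrt m) = a^2 - m b^2."""
    a, b = u
    return a * a - m * b * b

def is_unit(u, m):
    """x in Z[sqrt m] is a unit iff N(x) = +-1: then N(x) times its conjugate is the inverse."""
    return norm(u, m) in (1, -1)

def inverse(u, m):
    a, b = u
    n = norm(u, m)
    if n not in (1, -1):
        raise ValueError("not a unit of Z[sqrt m]")
    return (a * n, -b * n)   # conjugate divided by N(u); 1/N(u) = N(u) since N(u) = +-1

def fundamental_unit(m):
    """Smallest x + y sqrt m > 1 with y > 0 and norm +-1, by brute force over y (small m only)."""
    if isqrt(m) ** 2 == m:
        raise ValueError("m must not be a perfect square")
    y = 1
    while True:
        for x2 in (m * y * y + 1, m * y * y - 1):   # norm +1, then norm -1
            x = isqrt(x2)
            if x * x == x2:
                return (x, y)
        y += 1

def fundamental_pell_solution(m):
    """Smallest solution of x^2 - m y^2 = 1 with y > 0: eps_0 if N(eps_0) = 1, else eps_0^2."""
    eps = fundamental_unit(m)
    return eps if norm(eps, m) == 1 else mul(eps, eps, m)

def pell_solutions(m, count):
    """First `count` solutions (x_n, y_n) of x^2 - m y^2 = 1, as powers of the fundamental one."""
    eps = fundamental_pell_solution(m)
    sols, cur = [], (1, 0)
    for _ in range(count):
        sols.append(cur)
        cur = mul(cur, eps, m)
    return sols

def regulator(m):
    """R = log eps_0 for the fundamental unit eps_0 of Z[sqrt m]: the period of z -> e^z Z[sqrt m]."""
    x, y = fundamental_unit(m)
    return log(x + y * sqrt(m))

if __name__ == "__main__":
    print(fundamental_unit(5), fundamental_pell_solution(5), pell_solutions(5, 4))
    print(regulator(5))
```

For $m = 5$ the script finds $\varepsilon_0 = 2 + \sqrt{5}$ of norm $-1$, so the Pell solutions are the even powers of $\varepsilon_0$ starting with $9 + 4\sqrt{5}$, and the period of $h$ is $\log(2+\sqrt{5})$, half of $\log(9 + 4\sqrt{5})$.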

10. Non-Abelian Hidden Subgroup Problems 

In the previous sections, we saw that the Abelian Fourier transform can be used to exploit the symmetry of an Abelian hidden subgroup problem, and that this essentially gave a complete solution. We would like to generalize this to non-Abelian groups.

10.1. Hidden Subgroup Problem. Let $G$ be a non-Abelian group. We say that a function $F : G \to S$ hides a subgroup $H \le G$ if for all $x, y \in G$

$$F(x) = F(y) \quad \text{if and only if} \quad x^{-1} y \in H.$$

In other words, $F$ is constant on the left cosets $g_1 H, g_2 H, \ldots$ of $H$ in $G$, and takes distinct values on distinct left cosets. The non-Abelian hidden subgroup problem is to determine $H$ from (oracle access to) $F$. For every different kind of group $G$ and family of possible subgroups $H$, this is a different problem.

10.2. Example: Graph Automorphism Problem. As an instance of the non-Abelian hidden subgroup problem, we describe the graph automorphism problem. A graph is an ordered pair $G = (V, E)$ comprising a set $V := \{1, \ldots, n\}$ of vertices or nodes together with a set $E$ of edges, which are 2-element subsets of $V$; $\{i, j\} \in E$ means that $i$ and $j$ are connected.

Let us now consider permutations $\pi \in S_n$ of the vertices of $G$, which act on the graph by $\pi G = G' = (V, E')$ with $E' = \{ \{\pi(i), \pi(j)\} \mid \{i, j\} \in E \}$. For some permutations we will have $\pi G = G' = G$, for others $G' \neq G$. An automorphism of a graph $G = (V, E)$ is such a permutation with $\pi G = G$. The set of automorphisms of $G$ is a subgroup of the symmetric group $S_n$ of degree $n$, and we denote this automorphism group by $\mathrm{Aut}(G)$.

The graph automorphism problem is the problem of determining all automorphisms of a given graph $G$ (i.e. a generating set of $\mathrm{Aut}(G)$). Using the function $F(\pi) = \pi G$ defined over the symmetric group, this is a hidden subgroup problem over $S_n$ with hidden subgroup $\mathrm{Aut}(G)$: $F(\pi) = F(\sigma)$ if and only if $\pi^{-1}\sigma \in \mathrm{Aut}(G)$.
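As an added example (not part of the article), the following Python code verifies the hidden subgroup structure of the graph automorphism problem by brute force on small constructed graphs: it enumerates $S_n$, computes $\mathrm{Aut}(G)$ as the stabilizer of the edge set, checks that it is a subgroup, and checks that $F(\pi) = \pi G$ satisfies $F(\pi) = F(\sigma) \iff \pi^{-1}\sigma \in \mathrm{Aut}(G)$. The 4-cycle and the path graph are sample inputs of my choosing; the exhaustive enumeration over $n!$ permutations is exactly what cannot be afforded for large $n$, which is why the HSP formulation is interesting.

```python
# Added example (not from the article): the graph automorphism problem as a
# hidden subgroup problem over S_n, verified by brute force on small constructed graphs.
from itertools import permutations

def compose(p, q):
    """(p o q)(i) = p(q(i)); a permutation of {1..n} is a tuple with p[i-1] = p(i)."""
    return tuple(p[q[i] - 1] for i in range(len(p)))

def inverse(p):
    inv = [0] * len(p)
    for i, pi in enumerate(p, start=1):
        inv[pi - 1] = i
    return tuple(inv)

def act(p, edges):
    """pi G: relabel every edge {i, j} as {pi(i), pi(j)}; the vertex set stays {1..n}."""
    return frozenset(frozenset(p[v - 1] for v in e) for e in edges)

def symmetric_group(n):
    return list(permutations(range(1, n + 1)))

def automorphism_group(n, edges):
    """Aut(G) = {pi in S_n : pi G = G}, the subgroup hidden by F(pi) = pi G."""
    return {p for p in symmetric_group(n) if act(p, edges) == edges}

def is_subgroup(n, H):
    ident = tuple(range(1, n + 1))
    return ident in H and all(compose(inverse(x), y) in H for x in H for y in H)

def hides_subgroup(n, F, H):
    """The HSP promise: F(x) = F(y) if and only if x^{-1} y in H, for all x, y in S_n."""
    G = symmetric_group(n)
    return all((F(x) == F(y)) == (compose(inverse(x), y) in H) for x in G for y in G)

def graph(n, edge_list):
    return n, frozenset(frozenset(e) for e in edge_list)

# Constructed sample inputs (not from the article).
SQUARE = graph(4, [(1, 2), (2, 3), (3, 4), (4, 1)])   # 4-cycle: Aut is dihedral of order 8
PATH3 = graph(3, [(1, 2), (2, 3)])                    # path on 3 vertices: identity and 1 <-> 3

def analyse(g):
    """Return (|Aut(G)|, Aut(G) is a subgroup of S_n, F hides Aut(G))."""
    n, edges = g
    H = automorphism_group(n, edges)
    return len(H), is_subgroup(n, H), hides_subgroup(n, lambda p: act(p, edges), H)

if __name__ == "__main__":
    print(analyse(SQUARE), analyse(PATH3))
```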

10.3. Some Representation Theory. To describe potential quantum algorithms for the non-Abelian hidden subgroup problem, we have to introduce some notions from representation theory.

Let $G$ be a finite group. A representation of $G$ over the vector space $\mathbb{C}^n$ is a function $\rho : G \to \mathrm{GL}(\mathbb{C}^n)$ with the property $\rho(x \cdot y) = \rho(x)\rho(y)$ for all $x, y \in G$, where $\mathrm{GL}(\mathbb{C}^n)$ is the group of all invertible linear transformations of $\mathbb{C}^n$, called the general linear group of $\mathbb{C}^n$. Thus $\rho$ is a homomorphism from the group $G$ to the group $\mathrm{GL}(\mathbb{C}^n)$. One easily shows that $\rho(1) = I$, the $n$-dimensional identity matrix, and that $\rho(x^{-1}) = \rho(x)^{-1}$. We say that $\mathbb{C}^n$ is the representation space of $\rho$, and $n$ is called its dimension (or degree), denoted $d_\rho$. In the 1-dimensional case the representations are exactly the characters mentioned in Section 5. Note that the general linear group $\mathrm{GL}(\mathbb{C}^n)$ is itself non-Abelian for $n \ge 2$. For a finite group, every representation is equivalent to a unitary representation, that is, one for which $\rho(x)^{-1} = \rho(x)^\dagger$ for all $x \in G$; we assume below that this choice has been made.
Given two representations $\rho : G \to \mathrm{GL}(V)$ and $\rho' : G \to \mathrm{GL}(V')$, we can define their direct sum, a representation $\rho \oplus \rho' : G \to \mathrm{GL}(V \oplus V')$ of dimension $d_{\rho \oplus \rho'} = d_\rho + d_{\rho'}$. The representation matrices of $\rho \oplus \rho'$ are block diagonal:

$$(\rho \oplus \rho')(x) = \begin{pmatrix} \rho(x) & 0 \\ 0 & \rho'(x) \end{pmatrix}$$

for all $x \in G$. A representation is irreducible if it cannot be decomposed (up to a change of basis) as the direct sum of two other representations. Any representation of a finite group $G$ can be written as a direct sum of irreducible representations of $G$. We denote a complete set of pairwise inequivalent irreducible representations of $G$ by $\hat{G}$.

Another way to combine two representations is the tensor product. The tensor product of $\rho : G \to \mathrm{GL}(V)$ and $\rho' : G \to \mathrm{GL}(V')$ is $\rho \otimes \rho' : G \to \mathrm{GL}(V \otimes V')$, $x \mapsto \rho(x) \otimes \rho'(x)$, a representation of dimension $d_{\rho \otimes \rho'} = d_\rho d_{\rho'}$.

Exercise 4. Consider the non-Abelian group $G = \langle A, B \rangle$ generated, under multiplication, by the following two $3 \times 3$ matrices $A$ and $B$:

$A = $

How many elements does this group have? A representation is called faithful if for all $x \neq y$ we have $\rho(x) \neq \rho(y)$, i.e. when $\rho$ is injective. Find a faithful representation with $d = 2$ of $\langle A, B \rangle$.

Answer 4. Observe the left action and the right action of $A$ on $B$:

$AB$

Hence $ABA = B$. Note also that $A^3 = I_3$ and $B^2 = I_3$. From $ABA = B$ we get $BA = A^{-1}B = A^2 B$, so every $B$ can be moved to the right of every $A$, and any element of $\langle A, B \rangle$ can be written as $A^l B^k$ with $l \in \{0, 1, 2\}$ and $k \in \{0, 1\}$. Since $G$ is non-Abelian, no further relation collapses these six products, hence $|\langle A, B \rangle| = 6$.

The second problem is to find a representation $\rho$ of $\langle A, B \rangle$. For this purpose we exploit the algebraic properties $A^3 = I_3$, $B^2 = I_3$ and $ABA = B$. Since $\rho$ satisfies $\rho(XY) = \rho(X)\rho(Y)$ and $\rho(I_3) = I_2$, the images of $A$ and $B$ must satisfy $\rho(A)^3 = I_2$, $\rho(B)^2 = I_2$ and $\rho(A)\rho(B)\rho(A) = \rho(B)$. Therefore the problem is equivalent to finding elements $\rho(A) = S$ and $\rho(B) = T$ in $\mathrm{GL}_2(\mathbb{C})$ such that $S^3 = I_2$, $T^2 = I_2$, $STS = T$ and all six products $S^l T^k$ are different. These requirements are met, for example, by the two matrices

$$S = \begin{pmatrix} e^{2\pi i/3} & 0 \\ 0 & e^{-2\pi i/3} \end{pmatrix} \quad \text{and} \quad T = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}.$$

10.4. Non-Abelian Fourier transform. For a finite non-Abelian group $G$, we define the $|G|$-dimensional quantum Fourier transform over $G$, for every $x \in G$, by

$$|x\rangle \mapsto \frac{1}{\sqrt{|G|}} \sum_{\rho \in \hat G} \sqrt{d_\rho}\, |\rho, \rho(x)\rangle,$$

where $|\rho\rangle$ is a state that labels the irreducible representation, and $|\rho(x)\rangle$ is a normalized $d_\rho^2$-dimensional state whose amplitudes are given by the matrix entries of the $d_\rho \times d_\rho$ matrix $\rho(x)$:

$$|\rho(x)\rangle := (\rho(x) \otimes I_{d_\rho}) \frac{1}{\sqrt{d_\rho}} \sum_{j=1}^{d_\rho} |j, j\rangle = \frac{1}{\sqrt{d_\rho}} \sum_{j, k = 1}^{d_\rho} \rho(x)_{j,k} |j, k\rangle.$$

(Normalization uses that $\rho(x)$ is unitary: $\sum_{j,k} |\rho(x)_{j,k}|^2 = \mathrm{Tr}\,\rho(x)^\dagger \rho(x) = d_\rho$.) It can be shown that this quantum Fourier transform over $G$ is a unitary matrix; this follows from the Schur orthogonality relations for the matrix entries of unitary irreducible representations together with $\sum_{\rho \in \hat G} d_\rho^2 = |G|$.

Note that the Fourier transform over a non-Abelian $G$ is not uniquely defined; rather, it depends on a choice of basis for each irreducible representation of dimension greater than 1.
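As an added worked example (not from the article), the following Python code carries Exercise 4 and the definition of the non-Abelian Fourier transform through by computer for the order-6 group. The page's matrices $A$ and $B$ are not reproduced above, so the code uses my own stand-ins that satisfy the stated relations $A^3 = I_3$, $B^2 = I_3$, $ABA = B$: the permutation matrices of a 3-cycle and of a transposition. It generates the group by closure, checks that $A \mapsto S$, $B \mapsto T$ extends to a faithful homomorphism, and then assembles the $6 \times 6$ Fourier matrix from the three irreducible representations (trivial, sign, and the 2-dimensional one, with $1 + 1 + 4 = 6$) and checks that it is unitary. It is plain Python without numerical libraries; floating-point matrices are compared after rounding.

```python
# Added example (not from the article): Exercise 4 checked by computer, and the
# non-Abelian QFT over the resulting order-6 group. A and B are stand-ins chosen to
# satisfy the page's relations A^3 = I, B^2 = I, ABA = B (the page's own matrices are lost).
import cmath
from math import sqrt

def matmul(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) for j in range(len(Y[0]))]
            for i in range(len(X))]

def identity(n):
    return [[1 if i == j else 0 for j in range(n)] for i in range(n)]

def key(X):
    """Hashable form of a matrix with floating-point noise rounded away."""
    return tuple(tuple((round(complex(z).real, 9), round(complex(z).imag, 9)) for z in row)
                 for row in X)

def det3(M):
    (a, b, c), (d, e, f), (g, h, i) = M
    return a * (e * i - f * h) - b * (d * i - f * g) + c * (d * h - e * g)

def generate_with_images(gens, images):
    """Closure of <gens> under multiplication, carrying candidate images rho(g) built
    from the same words in the image generators. Returns a list of (g, rho(g)) pairs."""
    n, m = len(gens[0]), len(images[0])
    start = (identity(n), identity(m))
    found = {key(start[0]): start}
    frontier = [start]
    while frontier:
        nxt = []
        for X, RX in frontier:
            for Gi, Ri in zip(gens, images):
                Y, RY = matmul(X, Gi), matmul(RX, Ri)
                if key(Y) not in found:
                    found[key(Y)] = (Y, RY)
                    nxt.append((Y, RY))
        frontier = nxt
    return list(found.values())

def is_homomorphism(pairs):
    """rho(XY) = rho(X) rho(Y) for all pairs, i.e. the word-built images are well defined."""
    img = {key(X): RX for X, RX in pairs}
    return all(key(matmul(RX, RY)) == key(img[key(matmul(X, Y))])
               for X, RX in pairs for Y, RY in pairs)

def is_faithful(pairs):
    return len({key(RX) for _, RX in pairs}) == len(pairs)

OMEGA = cmath.exp(2j * cmath.pi / 3)
A = [[0, 0, 1], [1, 0, 0], [0, 1, 0]]      # 3-cycle e1 -> e2 -> e3 -> e1 (stand-in)
B = [[0, 1, 0], [1, 0, 0], [0, 0, 1]]      # transposition e1 <-> e2 (stand-in)
S = [[OMEGA, 0], [0, OMEGA.conjugate()]]   # rho(A), as in Answer 4
T = [[0, 1], [1, 0]]                       # rho(B), as in Answer 4
GROUP = generate_with_images([A, B], [S, T])

def relations_hold():
    return (key(matmul(matmul(A, A), A)) == key(identity(3))
            and key(matmul(B, B)) == key(identity(3))
            and key(matmul(matmul(A, B), A)) == key(B))

def irreps():
    """A complete set of irreps: trivial, sign (= det of the permutation matrix), 2-dim."""
    return {"trivial": {key(X): [[1]] for X, _ in GROUP},
            "sign": {key(X): [[det3(X)]] for X, _ in GROUP},
            "std": {key(X): RX for X, RX in GROUP}}

def qft_matrix():
    """Rows indexed by (rho, j, k), columns by x in G; entry sqrt(d_rho/|G|) rho(x)_{jk}."""
    rows = []
    for rho in irreps().values():
        d = len(next(iter(rho.values())))
        for j in range(d):
            for k in range(d):
                rows.append([sqrt(d / len(GROUP)) * rho[key(X)][j][k] for X, _ in GROUP])
    return rows

def is_unitary(F):
    n = len(F)
    Fdag = [[complex(F[j][i]).conjugate() for j in range(n)] for i in range(n)]
    return len(F[0]) == n and key(matmul(F, Fdag)) == key(identity(n))

if __name__ == "__main__":
    print(len(GROUP), is_homomorphism(GROUP), is_faithful(GROUP), is_unitary(qft_matrix()))
```

Changing the basis of the 2-dimensional representation (conjugating $S$ and $T$ by the same unitary) changes the rows belonging to it but keeps the matrix unitary, which is the basis dependence noted above.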

10.5. Fourier Sampling. Applying the Fourier transform to a superposition over a coset of the hidden subgroup, we obtain a state supported on the registers $|\rho\rangle|j\rangle|k\rangle$.

For Abelian groups all dimensions $d_\rho$ are 1, hence in that setting we only look at $\rho$. When generalizing this approach, in which the $(j, k)$ registers are ignored, to the non-Abelian case, we speak of weak Fourier sampling. If the hidden subgroup $H$ is normal (i.e. if for all $x \in G$ we have $xH = Hx$), then weak Fourier sampling solves the HSP.

However, for the majority of non-Abelian hidden subgroup problems, weak Fourier sampling does not provide sufficient information to recover the hidden subgroup. For example, weak Fourier sampling fails to solve the HSP in the symmetric group (Grigni et al. [5], Hallgren et al. [10]) and in the dihedral group. To obtain more information about the hidden subgroup, we have to look not only at the $\rho$ register but also at the $j$ and $k$ registers. Such an approach is called strong Fourier sampling; see [1, § VII.C, § VII.D]. For some groups it turns out that even strong Fourier sampling of single registers fails. Moore, Russell and Schulman [16] showed that, regardless of which basis is chosen for the irreducible representations, strong Fourier sampling provides insufficient information to solve the HSP in the symmetric group if one restricts oneself to measuring one $(\rho, j, k)$ register at a time, i.e. without entangled measurements across several coset states.

10.6. Example: Dihedral/Hidden Shift Problem. The hidden shift problem (also known as the hidden translation problem) is a natural variant of the hidden subgroup problem. In the hidden shift problem, we are given two injective functions $f_0 : G \to S$ and $f_1 : G \to S$, with the promise that

$$f_0(g) = f_1(sg) \quad \text{for some } s \in G.$$

The goal of the problem is to find $s$, the hidden shift.

Consider the case of the dihedral group $D_n$, which is the group of symmetries of an $n$-sided regular polygon, including both rotations and reflections, generated by the following two matrices

: rotation.

: reflection.

It is known that the dihedral group $D_n$ is isomorphic to a semidirect product of $\mathbb{Z}/n\mathbb{Z}$ and $\mathbb{Z}/2\mathbb{Z}$, denoted $\mathbb{Z}/n\mathbb{Z} \rtimes \mathbb{Z}/2\mathbb{Z}$. Roughly speaking, $\mathbb{Z}/n\mathbb{Z} \rtimes \mathbb{Z}/2\mathbb{Z}$ is the set underlying the direct product of $\mathbb{Z}/n\mathbb{Z}$ and $\mathbb{Z}/2\mathbb{Z}$ whose product is defined as

for any $(l_1, k_1)$ and $(l_2, k_2)$ in $\mathbb{Z}/n\mathbb{Z} \rtimes \mathbb{Z}/2\mathbb{Z}$.

We define a function $F$ on $\mathbb{Z}/n\mathbb{Z} \rtimes \mathbb{Z}/2\mathbb{Z}$ with the property

$$F(x, 0) = F(x + s, 1) \quad \text{for some } s \in \mathbb{Z}/n\mathbb{Z}.$$

Hence $F(\mathbb{Z}/n\mathbb{Z}, 1)$ is an $s$-shifted version of $F(\mathbb{Z}/n\mathbb{Z}, 0)$; finding $s$ is the hidden shift problem on $\mathbb{Z}/n\mathbb{Z}$ with $f_0 = F(\cdot, 0)$ and $f_1 = F(\cdot, 1)$, and equivalently $F$ hides the order-2 subgroup $\{(0, 0), (s, 1)\}$ of $D_n$ generated by the reflection $(s, 1)$. Ettinger and Høyer [7] showed that this hidden shift problem can be solved with only $(\log n)^{O(1)}$ quantum queries to the function $F$, but it remains an open problem whether this can also be achieved with polynomial time complexity.
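As an added example (not part of the article), the following Python code implements $D_n$ as $\mathbb{Z}/n\mathbb{Z} \rtimes \mathbb{Z}/2\mathbb{Z}$ with the standard product law $(l_1, k_1)(l_2, k_2) = (l_1 + (-1)^{k_1} l_2 \bmod n,\ k_1 + k_2 \bmod 2)$ (the page's own display of the product is missing; this is the usual one, with $k = 0$ for rotations and $k = 1$ for reflections), checks the group axioms exhaustively, and verifies the reduction above: a constructed hidden shift instance $f_0, f_1$ gives a function $F$ on $D_n$ that hides exactly the subgroup $\{(0,0), (s,1)\}$. The instance with $n = 10$, $s = 7$ is my choice, and the classical recovery shown at the end costs up to $n$ queries, which is the baseline the $(\log n)^{O(1)}$-query quantum algorithm beats.

```python
# Added example (not from the article): D_n as the semidirect product Z/nZ x| Z/2Z with
# the standard product law (the page's own formula is lost), and the reduction of the
# hidden shift problem on Z/nZ to a hidden subgroup problem in D_n.

def dn_mul(g, h, n):
    """(l1, k1)(l2, k2) = (l1 + (-1)^k1 l2 mod n, k1 + k2 mod 2); k = 0 rotation, k = 1 reflection."""
    (l1, k1), (l2, k2) = g, h
    return ((l1 + (-1) ** k1 * l2) % n, (k1 + k2) % 2)

def dn_inverse(g, n):
    l, k = g
    return ((-((-1) ** k) * l) % n, k)   # reflections are their own inverses

def dn_elements(n):
    return [(l, k) for k in (0, 1) for l in range(n)]

def is_group(n):
    """Associativity, identity and inverses checked exhaustively over the 2n elements."""
    G = dn_elements(n)
    assoc = all(dn_mul(dn_mul(a, b, n), c, n) == dn_mul(a, dn_mul(b, c, n), n)
                for a in G for b in G for c in G)
    inv = all(dn_mul(g, dn_inverse(g, n), n) == (0, 0) for g in G)
    ident = all(dn_mul(g, (0, 0), n) == g == dn_mul((0, 0), g, n) for g in G)
    return assoc and inv and ident

def hidden_shift_instance(n, s):
    """Constructed instance: an injective f0, and f1(x) = f0(x - s), so that f0(x) = f1(x + s)."""
    def f0(x):
        return (n - 1 - x) % n        # any injection Z/nZ -> S will do
    def f1(x):
        return f0((x - s) % n)
    return f0, f1

def dihedral_function(n, f0, f1):
    """F(x, 0) = f0(x), F(x, 1) = f1(x); then F(x, 0) = F(x + s, 1) as in the text."""
    return lambda g: f0(g[0]) if g[1] == 0 else f1(g[0])

def hides_subgroup(n, F, H):
    """HSP promise: F(g) = F(h) iff g^{-1} h in H,  for all g, h in D_n."""
    G = dn_elements(n)
    return all((F(g) == F(h)) == (dn_mul(dn_inverse(g, n), h, n) in H) for g in G for h in G)

def hidden_subgroup_of_shift(n, s):
    """The subgroup F hides: the order-2 subgroup generated by the reflection (s, 1)."""
    return {(0, 0), (s % n, 1)}

def recover_shift_classically(n, F):
    """Brute force: up to n queries to F, versus (log n)^{O(1)} quantum queries (Ettinger-Hoyer)."""
    target = F((0, 0))
    for s in range(n):
        if F((s, 1)) == target:   # F(s, 1) = f1(s) = f0(0) exactly when s is the shift
            return s
    return None

def demo(n=10, s=7):
    f0, f1 = hidden_shift_instance(n, s)
    F = dihedral_function(n, f0, f1)
    H = hidden_subgroup_of_shift(n, s)
    return is_group(n), hides_subgroup(n, F, H), recover_shift_classically(n, F)

if __name__ == "__main__":
    print(demo())
```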

10.7. Pretty Good Measurement Approach to HSP. The idea of the pretty good measurement (PGM) is borrowed from quantum optics, and it gives a general approach to the problem of distinguishing quantum states from each other. In a pretty good measurement, for a given set of possible mixed states $\{\rho_1, \ldots, \rho_m\}$ (with prior probabilities $p_1, \ldots, p_m$), we use the measurement operators $\Pi_1, \ldots, \Pi_m$ defined by

For many hidden symmetry problems, the PGM is the measurement that extracts the hidden information from these states as efficiently as possible. It also defines a specific measurement that one can then try to implement efficiently.
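As an added example (not part of the article), the following Python code implements the pretty good measurement for two pure qubit states using the standard construction $\Pi_i = p_i S^{-1/2} \rho_i S^{-1/2}$ with $S = \sum_i p_i \rho_i$, which is the usual PGM definition, supplied here because the page's own display of the operators is missing. It checks that the $\Pi_i$ form a POVM and computes the success probability $\sum_i p_i \mathrm{Tr}(\Pi_i \rho_i)$; for two equiprobable pure states with overlap $\cos\theta$ the PGM coincides with the optimal Helstrom measurement and succeeds with probability $(1 + \sin\theta)/2$, a known result that the code reproduces numerically. The restriction to real amplitudes and dimension 2 is mine, so that the matrix inverse square root can be written out by hand; identical states (a singular $S$) are rejected rather than silently mishandled.

```python
# Added example (not from the article): the pretty good measurement for two pure
# qubit states, using the standard construction
#   Pi_i = p_i S^{-1/2} |psi_i><psi_i| S^{-1/2},   S = sum_i p_i |psi_i><psi_i|.
# Real amplitudes and dimension 2 only, so S^{-1/2} is computed explicitly.
from math import sqrt, cos, sin, isclose

def outer(v, w):
    return [[vi * wj for wj in w] for vi in v]

def add(X, Y):
    return [[x + y for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]

def scale(c, X):
    return [[c * x for x in row] for row in X]

def matmul(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(2)) for j in range(2)] for i in range(2)]

def inv_sqrt_sym2(S):
    """S^{-1/2} for a real symmetric positive definite 2x2 matrix via its eigendecomposition."""
    (a, b), (_, d) = S
    if abs(b) < 1e-12:                       # already diagonal
        pairs = [(a, (1.0, 0.0)), (d, (0.0, 1.0))]
    else:
        disc = sqrt(((a - d) / 2) ** 2 + b * b)
        pairs = [(lam, (b, lam - a)) for lam in ((a + d) / 2 + disc, (a + d) / 2 - disc)]
    result = [[0.0, 0.0], [0.0, 0.0]]
    for lam, v in pairs:
        if lam <= 1e-12:
            raise ValueError("S must be positive definite: the states must span the space")
        nv = sqrt(v[0] ** 2 + v[1] ** 2)
        v = (v[0] / nv, v[1] / nv)
        result = add(result, scale(lam ** -0.5, outer(v, v)))   # sum over lambda^{-1/2} |v><v|
    return result

def pgm(states, priors):
    """PGM operators Pi_i = p_i S^{-1/2} |psi_i><psi_i| S^{-1/2}."""
    S = [[0.0, 0.0], [0.0, 0.0]]
    for psi, p in zip(states, priors):
        S = add(S, scale(p, outer(psi, psi)))
    R = inv_sqrt_sym2(S)
    return [scale(p, matmul(matmul(R, outer(psi, psi)), R)) for psi, p in zip(states, priors)]

def is_povm(ops):
    """The Pi_i must sum to the identity (each one is positive by construction)."""
    total = [[0.0, 0.0], [0.0, 0.0]]
    for Pi in ops:
        total = add(total, Pi)
    return all(isclose(total[i][j], float(i == j), abs_tol=1e-9) for i in range(2) for j in range(2))

def success_probability(states, priors):
    """sum_i p_i <psi_i| Pi_i |psi_i>: probability that the PGM names the prepared state."""
    total = 0.0
    for psi, p, Pi in zip(states, priors, pgm(states, priors)):
        total += p * sum(psi[i] * Pi[i][j] * psi[j] for i in range(2) for j in range(2))
    return total

def two_state_example(theta, p0=0.5):
    """|psi_0> = (1, 0), |psi_1> = (cos theta, sin theta). With equal priors the PGM is the
    optimal (Helstrom) measurement and succeeds with probability (1 + sin theta)/2."""
    states = [(1.0, 0.0), (cos(theta), sin(theta))]
    return success_probability(states, [p0, 1.0 - p0])

if __name__ == "__main__":
    print(two_state_example(3.141592653589793 / 6))   # expected 0.75
```

For orthogonal states ($\theta = \pi/2$) the PGM is a projective measurement and succeeds with certainty; as $\theta \to 0$ the states merge, $S$ becomes singular, and the code raises instead of returning a meaningless operator.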

11. Approaches Towards Finding New Quantum Algorithms 

Finding new quantum algorithms has proven to be a hard problem. For students and other researchers brave enough nevertheless to try to expand our current set of efficient algorithms, the following three approaches are suggested.

Find more applications of the Abelian HSP: The efficient quantum solution to the Abelian HSP should have more applications than we are currently aware of. By learning more about number theory, commutative algebra and algebraic geometry, it should be possible to discover computational problems in those fields that can also be solved efficiently in the Abelian HSP framework.

Find more applications for different non-Abelian groups: The non-Abelian HSP for the symmetric group and the dihedral group has well-known connections to problems in graph theory and the theory of lattices. Unfortunately we do not know, at the moment, how to solve the HSP for these groups efficiently. Find computational problems that reduce to the HSP for groups that we do know how to solve efficiently on a quantum computer.

Find other useful unitary transformations: Step away from the HSP framework and its Fourier transform altogether, look at other unitary transformations, and see which computational problems are a match for them.
Appendix A. Group Theory

Groups are an important notion in algebra and they are defined as follows.

Definition 1 (Group). A group is a set $G$ together with a binary operation $\circ$ on $G$ such that the following three axioms hold:

(1) $(a \circ b) \circ c = a \circ (b \circ c)$ (associativity) holds for any $a, b, c$ in $G$.

(2) There exists an element $e$ which satisfies $a \circ e = e \circ a = a$ for any $a$ in $G$. Such an element is unique and is called the identity element.

(3) For each $a$ in $G$, there exists an element $b$ in $G$ such that $a \circ b = b \circ a = e$, where $e$ is the identity element. Such an element is unique, is called the inverse of $a$, and is denoted $a^{-1}$.

Definition 2. A group $G$ is Abelian (or commutative) if its group operation commutes (i.e. for all $a, b \in G$ we have $a \circ b = b \circ a$).

Example 5. The set of all natural numbers $\mathbb{N}$ does not form a group with respect to addition, because not all elements $x \in \mathbb{N}$ have an inverse $-x$ in $\mathbb{N}$.

Example 6. The set of all integers $\mathbb{Z}$ forms a group with respect to addition: the identity element is $0$, each element $a$ has the inverse element $-a$, and addition on $\mathbb{Z}$ is clearly associative. However, $\mathbb{Z}$ is not a group with respect to multiplication, as the multiplicative inverses of elements other than $\pm 1$ are not elements of $\mathbb{Z}$ (and $0$ has no inverse at all).

Example 7. Let $M_2(\mathbb{C})$ be the set of $2 \times 2$ complex matrices and

$$\mathrm{GL}_2(\mathbb{C}) := \{ A \in M_2(\mathbb{C}) \mid \det A \neq 0 \}.$$

Note that $\mathrm{GL}_2(\mathbb{C})$ is a subset of $M_2(\mathbb{C})$. We see that $\mathrm{GL}_2(\mathbb{C})$ forms a group with respect to matrix multiplication, although $M_2(\mathbb{C})$ does not: matrix multiplication is associative and the unit matrix $I_2$ plays the role of the identity element, but in $M_2(\mathbb{C})$ some elements $A$ (those with $\det A = 0$) have no inverse $A^{-1}$.